Final warning: Popular browsers will soon stop accepting SHA-1 certificates
Starting with Chrome 56, planned to be released to the wider public at the end of January 2017, Google will remove support for SHA-1 certificates. Other browser makers plan to do the same.
“The SHA-1 cryptographic hash algorithm first showed signs of weakness over eleven years ago and recent research points to the imminent possibility of attacks that could directly impact the integrity of the Web PKI,” Chrome Security team member Andrew Whalley explained.
“Website operators are urged to check for the use of SHA-1 certificates and immediately contact their CA for a SHA-256 [i.e. SHA-2] based replacement if any are found,” he advised.
Certificate Authorities stopped issuing SHA-1 signed SSL/TLS certificates on January 1, 2016, but some of them are still valid.
According to the numbers provided by cybersecurity company Venafi, 35% of websites are still using SHA-1 certificates. But most of the most popular sites have done the work and have already migrated away from them.
“Leading browser providers such as Microsoft, Mozilla and Google, have publicly stated they will no longer trust sites that use SHA-1 from early 2017. By February 2017, Chrome, Firefox and Edge, will mark websites that still rely on certificates that use SHA-1 algorithms as insecure,” Venafi’s Scott Carter warns.
As a result, web transactions and traffic may be disrupted in a variety of ways, he notes. Browsers will display warnings to users that the site is insecure and will not display the ‘green padlock’ on the address line for HTTPS transactions. Also, sites may experience performance problems and access to them may be blocked.
Google will, for now, make an exception for certificates that chain to a locally installed trust anchor, such as those of a private PKI within an enterprise.
“Starting with Chrome 54 we provide the EnableSha1ForLocalAnchors policy that allows certificates which chain to a locally installed trust anchor to be used after support has otherwise been removed from Chrome,” says Whalley.
“Features which require a secure origin, such as geolocation, will continue to work, however pages will be displayed as ‘neutral, lacking security’. Without this policy set, SHA-1 certificates that chain to locally installed roots will not be trusted starting with Chrome 57, which will be released to the stable channel in March 2017.”
This option will be supported until January 1, 2019, but he warns that they “may also remove support before 2019 if there is a serious cryptographic break of SHA-1.”
The security community has been advising a collective move to SHA-2, even though it could make many sites inaccessible to users who use older browsers or devices incompatible with it and can’t afford to upgrade.